NAT static mapping not working.

Discussion in 'Cisco' started by Bas, Dec 9, 2004.

  1. Bas (Guest)

    Hi,

    I've set up a static NAT mapping on port 25 to an internal mail server. ANY IP
    may access this server on the public interface (interface Serial0/0.500
    point-to-point). But somehow it's not working. Anyone know what I'm doing
    wrong?

    Current configuration:
    !
    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname XXXXXXXXX
    !
    enable secret 5 XXXXXXX
    enable password 7 XXXXXXX
    !
    username XXXXXXX password 7 094E5B1A1300
    username XXXXXXX password 7 04482B161F015E5A48
    username XXXXXXX password 7 08224343191814
    !
    !
    !
    !
    ip subnet-zero
    no ip source-route
    no ip finger
    ip name-server 194.151.228.18
    !
    ip inspect max-incomplete high 1100
    ip inspect one-minute high 1100
    ip inspect name Ethernet_0_0 tcp
    ip inspect name Ethernet_0_0 udp
    ip inspect name Ethernet_0_0 cuseeme
    ip inspect name Ethernet_0_0 ftp
    ip inspect name Ethernet_0_0 h323
    ip inspect name Ethernet_0_0 rcmd
    ip inspect name Ethernet_0_0 realaudio
    ip inspect name Ethernet_0_0 smtp
    ip inspect name Ethernet_0_0 streamworks
    ip inspect name Ethernet_0_0 vdolive
    ip inspect name Ethernet_0_0 sqlnet
    ip inspect name Ethernet_0_0 tftp
    ip audit notify log
    ip audit po max-events 100
    isdn voice-call-failure 0
    !
    !
    !
    interface Ethernet0/0
    description connected to EthernetLAN
    ip address 192.168.101.1 255.255.255.0 secondary
    ip address 192.168.100.1 255.255.255.0
    ip access-group 100 in
    no ip directed-broadcast
    ip nat inside
    ip inspect Ethernet_0_0 in
    !
    interface BRI0/0
    no ip address
    no ip directed-broadcast
    isdn guard-timer 0 on-expiry accept
    !
    interface Serial0/0
    description MAIN WAN interface
    no ip address
    no ip directed-broadcast
    encapsulation frame-relay IETF
    frame-relay lmi-type ansi
    !
    interface Serial0/0.500 point-to-point
    description connected to Internet
    ip address 194.XX.64.97 255.255.255.240
    ip access-group 105 in
    no ip directed-broadcast
    ip nat outside
    frame-relay interface-dlci 500
    !
    interface Dialer1
    description inbelvoorziening Remote
    bandwidth 64
    ip address 192.168.30.1 255.255.255.0
    ip directed-broadcast
    encapsulation ppp
    dialer remote-name remote1
    dialer pool 1
    dialer caller XXXXXXXX
    dialer caller XXXXXXXX
    dialer-group 1
    peer default ip address pool isdnpc
    no cdp enable
    ppp callback accept
    ppp authentication chap
    !
    router rip
    version 2
    redistribute static
    passive-interface Serial0/0
    network 192.168.100.0
    network 192.168.101.0
    !
    ip local pool isdnpc 192.168.30.10 192.168.30.20
    ip nat inside source list 7 interface Serial0/0.500 overload
    ip nat inside source static tcp 192.168.100.24 25 194.XX.64.97 25 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0.500
    ip route 192.168.30.0 255.255.255.0 Dialer1
    ip http server
    !
    access-list 1 permit any
    access-list 7 permit 0.0.0.0
    access-list 7 permit any
    access-list 100 permit ip 192.168.100.0 0.0.0.255 any
    access-list 105 permit ip host 213.XXX.100.148 any
    access-list 105 permit ip host 195.XXX.13.106 any
    access-list 105 deny ip any any
    dialer-list 1 protocol ip permit
    !
    line con 0
    exec-timeout 15 0
    login local
    transport input none
    line aux 0
    line vty 0 4
    exec-timeout 15 0
    login local
    !
    end
     
    Bas, Dec 9, 2004
    #1

  2. Ivan Ostreš (Guest)

    In article <>, says...
    > Hi,
    >
    > I've set up a static NAT mapping on port 25 to an internal mail server. ANY IP
    > may access this server on the public interface (interface Serial0/0.500
    > point-to-point). But somehow it's not working. Anyone know what I'm doing
    > wrong?
    >
    >
    >

    [snip]
    > access-list 105 permit ip host 213.XXX.100.148 any
    > access-list 105 permit ip host 195.XXX.13.106 any
    > access-list 105 deny ip any any


    Well, it's not entirely true that any IP may access this server. It looks
    like only 2 hosts are permitted to access it. I would try to remove this
    access list from the serial interface and try it then...

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Dec 9, 2004
    #2

  3. Toby (Guest)

    "Bas" <> wrote in message
    news:...
    > Hi,
    >
    > I've set up a static NAT mapping on port 25 to an internal mail server. ANY
    > IP may access this server on the public interface (interface Serial0/0.500
    > point-to-point). But somehow it's not working. Anyone know what I'm doing
    > wrong?
    >


    You say any IP address, but you have locked it down to several with your ACL
    105.

    > access-list 105 permit ip host 213.XXX.100.148 any
    > access-list 105 permit ip host 195.XXX.13.106 any
    > access-list 105 deny ip any any


    > interface Serial0/0.500 point-to-point
    > description connected to Internet
    > ip address 194.XX.64.97 255.255.255.240
    > ip access-group 105 in
    > no ip directed-broadcast
    > ip nat outside
    > frame-relay interface-dlci 500


    You have also given far too much info in your config. I now know some of
    your passwords and also have a good idea as to your IP address of the
    S0/0.500.

    Luckily for you I am not a hacker, but unfortunately I do recommend you
    change those passwords as of yesterday.

    Regards

    Toby
     
    Toby, Dec 9, 2004
    #3
  4. Bas (Guest)

    Ah, now I see. That entry is put there because we have some remote services
    running internally, and we need to restrict only those 2 IPs to the internal
    host.

    If I add the following line:
    access-list 105 permit ip any host 192.168.100.24

    Then I allow any host to my internal mail server 192.168.100.24, and only
    allow those 2 IPs to the internal host. Am I correct?

    BTW, I will change the passwords ASAP.

    Thank you !

    Bas.


    "Toby" <> wrote in message
    news:0EYtd.316$...
    >
    > "Bas" <> wrote in message
    > news:...
    >> Hi,
    >>
    >> I've set up a static NAT mapping on port 25 to an internal mail server. ANY
    >> IP may access this server on the public interface (interface
    >> Serial0/0.500 point-to-point). But somehow it's not working. Anyone know
    >> what I'm doing wrong?
    >>

    >
    > You say any IP address, but you have locked it down to several with your
    > ACL 105.
    >
    >> access-list 105 permit ip host 213.XXX.100.148 any
    >> access-list 105 permit ip host 195.XXX.13.106 any
    >> access-list 105 deny ip any any

    >
    >> interface Serial0/0.500 point-to-point
    >> description connected to Internet
    >> ip address 194.XX.64.97 255.255.255.240
    >> ip access-group 105 in
    >> no ip directed-broadcast
    >> ip nat outside
    >> frame-relay interface-dlci 500

    >
    > You have also given far too much info in your config. I now know some of
    > your passwords and also have a good idea as to your IP address of the
    > S0/0.500.
    >
    > Luckily for you I am not a hacker, but unfortunately I do recommend you
    > change those passwords as of yesterday.
    >
    > Regards
    >
    > Toby
    >
    >
     
    Bas, Dec 9, 2004
    #4
  5. Toby (Guest)

    "Bas" <> wrote in message
    news:...
    > Ah, now I see. That entry is put there because we have some remote services
    > running internally, and we need to restrict only those 2 IPs to the internal
    > host.
    >
    > If I add the following line:
    > access-list 105 permit ip any host 192.168.100.24
    >
    > Then I allow any host to my internal mail server 192.168.100.24, and only
    > allow those 2 IPs to the internal host. Am I correct?
    >
    > BTW, I will change the passwords ASAP.
    >
    > Thank you !
    >
    > Bas.
    >

    Hmm, interesting. I am not really up on NAT to that extent. It comes down to
    which will occur first, i.e. NAT or ACL (which address does the ACL use?).
    Give it a go and let me know. (Saves me a lab.)

    Regards

    Toby

    P.S. change them passwords
     
    Toby, Dec 9, 2004
    #5
  6. Ben (Guest)

    Toby wrote:
    > "Bas" <> wrote in message
    > news:...
    >
    >>Ah, now I see. That entry is put there because we have some remote services
    >>running internally, and we need to restrict only those 2 IPs to the internal
    >>host.
    >>
    >>If I add the following line:
    >>access-list 105 permit ip any host 192.168.100.24
    >>
    >>Then I allow any host to my internal mail server 192.168.100.24, and only
    >>allow those 2 IPs to the internal host. Am I correct?
    >>
    >>BTW, I will change the passwords ASAP.
    >>
    >>Thank you !
    >>
    >>Bas.
    >>

    >
    > Hmm, interesting. I am not really up on NAT to that extent. It comes down to
    > which will occur first, i.e. NAT or ACL (which address does the ACL use?).
    > Give it a go and let me know. (Saves me a lab.)
    >
    > Regards
    >
    > Toby
    >
    > P.S. change them passwords
    >
    >
    >


    No, I don't think this will work (although I am reading this in a hurry).

    The ACL is applied to the outside interface, therefore you must use
    outside addresses.
    If I were you I would allow port 25, period, e.g.:

    access-list 105 permit tcp any any eq 25 <----
    access-list 105 permit ip host 213.XXX.100.148 any
    access-list 105 permit ip host 195.XXX.13.106 any
    access-list 105 deny ip any any
     
    Ben, Dec 9, 2004
    #6
  7. PES (Guest)

    Toby wrote:
    > "Bas" <> wrote in message
    > news:...
    >
    >>Ah, now I see. That entry is put there because we have some remote services
    >>running internally, and we need to restrict only those 2 IPs to the internal
    >>host.
    >>
    >>If I add the following line:
    >>access-list 105 permit ip any host 192.168.100.24
    >>
    >>Then I allow any host to my internal mail server 192.168.100.24, and only
    >>allow those 2 IPs to the internal host. Am I correct?
    >>
    >>BTW, I will change the passwords ASAP.
    >>
    >>Thank you !
    >>
    >>Bas.
    >>

    >
    > Hmm, interesting. I am not really up on NAT to that extent. It comes down to
    > which will occur first, i.e. NAT or ACL (which address does the ACL use?).
    > Give it a go and let me know. (Saves me a lab.)
    >
    > Regards
    >
    > Toby
    >
    > P.S. change them passwords
    >
    >
    >

    See NAT order of operations:
    http://www.cisco.com/warp/public/556/5.html

    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Dec 10, 2004
    #7
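A worked model of the point Ben and PES are making, added here as an example (not code from the thread, from Cisco, or from the posters): for an outside-to-inside packet, IOS evaluates the inbound ACL on the outside interface against the packet as it arrives, so the destination the ACL sees is the public (outside global) address, and only afterwards does the static NAT entry rewrite it to 192.168.100.24. The masked addresses from the thread are replaced by constructed placeholders (194.0.64.97 for 194.XX.64.97, 213.0.100.148 for 213.XXX.100.148), and the ACL parser is a hypothetical subset covering only the `any`, `host`, address/wildcard and `eq PORT` forms.

```python
import ipaddress
from collections import namedtuple

# Constructed placeholders for the addresses the thread masks (194.XX.64.97, 213.XXX.100.148).
PUBLIC_IP, MAIL_LOCAL, REMOTE_HOST = "194.0.64.97", "192.168.100.24", "213.0.100.148"
# The thread's static entry: ip nat inside source static tcp 192.168.100.24 25 194.XX.64.97 25
STATIC_NAT = {("tcp", PUBLIC_IP, 25): (MAIL_LOCAL, 25)}  # (proto, outside global, port) -> inside local
Packet = namedtuple("Packet", "proto src dst dport")  # a packet as seen arriving on Serial0/0.500

def _addr(t, i):
    """Parse one IOS address operand: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2  # wildcard = hostmask

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines, preserving order."""
    rules = []
    for line in lines:
        t = line.split()
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((t[2], t[3], src, dst, dport))
    return rules

def acl_permits(rules, pkt):
    """First matching entry decides; falling off the end is the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, dport in rules:
        if (proto in ("ip", pkt.proto) and src_ip in src and dst_ip in dst
                and (dport is None or dport == pkt.dport)):
            return action == "permit"
    return False

def outside_to_inside(acl_lines, pkt):
    """Outside-to-inside order: inbound ACL on the untranslated packet first, static NAT second.
    Returns (inside_ip, port) when the ACL permits it and a static entry exists, else None."""
    if not acl_permits(parse_acl(acl_lines), pkt):
        return None
    return STATIC_NAT.get((pkt.proto, pkt.dst, pkt.dport))

SMTP_FROM_INTERNET = Packet("tcp", "198.51.100.7", PUBLIC_IP, 25)  # constructed sample connection
ACL_PROPOSED = [f"access-list 105 permit ip any host {MAIL_LOCAL}",  # Bas's line: inside address
                f"access-list 105 permit ip host {REMOTE_HOST} any", "access-list 105 deny ip any any"]
ACL_FIXED = ["access-list 105 permit tcp any any eq 25",  # Ben's line: matches the packet as received
             f"access-list 105 permit ip host {REMOTE_HOST} any", "access-list 105 deny ip any any"]
```

Running `outside_to_inside(ACL_PROPOSED, SMTP_FROM_INTERNET)` returns None because the inbound ACL never sees 192.168.100.24 as a destination, while the same call with ACL_FIXED returns ("192.168.100.24", 25).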
